Subject: RE: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question
Posted by rkaramchand, 11/19/2009 2:53 PM
Joe

Correct me if I am wrong

Here is my understanding.


The machine account password change is initiated by the computer every 30 days by default. Since Windows 2000, all versions of Windows have used the same value. This behavior can be modified to a custom value using the group policy setting in Active Directory listed below.

Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

If the machine was down for a long time, that scavenger thread will not run, and the password will not get out of sync between the local store and Active Directory.

After Netlogon service starts the Workstation service scavenger thread wakes up. If the password is not older than MaximumPasswordAge, the scavenger thread goes back to sleep and sets itself to wake up when the password will reach that age. Otherwise, the scavenger thread will attempt to change the password. If it cannot talk to a DC, it will go back to sleep and try again in ScavengeInterval minutes.

ScavengeInterval controls how often the workstation scavenger thread runs - the workstation scavenger is responsible for changing the machine password if necessary.
HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value: ScavengeInterval REG_DWORD 60 to 172800 Seconds (48 hours)
Default : 900 (15 minutes)

MaximumPasswordAge determines when the computer password needs to be changed.
Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD
Default = 30
Range = 1 to 1,000,000 (in days)
Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Domain member: Maximum machine account password age
To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up.
The trust password follows the same setting. So a trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else are 30 days.
So what this means is:
2000 to NT4 trust password is 30 days.
2000 to 2000 is 30 days.
2000 to 2003 is 30 days.
2003 to 2003 is 30 days.

Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages.

The local copy of the machine password is stored under:
HKLM\SECURITY\Policy\Secrets\$machine.ACC

Rajeev



From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, November 19, 2009 8:49 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question

And in fact, computer passwords never need to change which is a setting that can be controlled from the client itself (see http://support.microsoft.com/kb/154501) and often is when VPN software is in use.

You also have issues with non-MSFT solutions that join the domain like Samba and some NAS solutions that may be derived from Samba. You also have cluster accounts which never change their password (this was supposed to be changing but I have no clue if it did).

To put it bluntly, there is no definitive authoritative way from MSFT to determine if a computer account is truly inactive. Your best guess is likely a combination of the password age combined with the lastLogonTimeStamp. But I wouldn’t even stake my name on that being absolutely 100% guaranteed. Every company needs to define the process by which they define a computer account inactive and eligible for the end stages of lifecycle management. This is why oldcmp won’t directly delete any account that wasn’t first disabled. I almost went so far as to check the repl metadata for the userAccountControl attribute to make sure that the account had been disabled for at least a month but that wasn’t authoritative enough and I decided that at some point I had to trust the judgment of the admins. ;o)

joe

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm


From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: Thursday, November 19, 2009 7:19 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question

No. Computers themselves are responsible for changing their own passwords. They don't expire from the AD side like user accounts can/should. If the password hasn't been changed by the computer because its been offline, the password is still the same and the computer can successfully log in the next time it connects.


-- dloder.blogspot.com --

--- On Thu, 11/19/09, Crosby, Damian <Damian.Crosby@morganstanley.com> wrote:

From: Crosby, Damian <Damian.Crosby@morganstanley.com>
Subject: RE: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question
To: activedir@mail.activedir.org
Date: Thursday, November 19, 2009, 5:41 AM
Hi,

Note that disabling the computer account in AD means that when the computer tries to build a secure channel to a DC in the domain – a process during which the computer account authenticates with the DC – the authentication will fail and no secure channel will be created. As such a domain user logging on to that computer won’t be able to interactively logon to the domain (the user can still logon locally to the computer itself).

But if the computer has been offnet for more than 30 days, the trusted secret is invalid and the machine should not do this anyway, correct?

Thanks.

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido
Sent: 19 November 2009 08:23
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question
It’s not about the computer’s user (i.e. owner of the physical box) being able to logon on other machines in the domain “anyway” as he/she has a valid account and password. That user will authenticate to the domain even through other channels which don’t require the computer account to ever authenticate itself (for example, through an external OWA link or Outlook Anywhere etc.).

What you fail to consider is that any computer account is a derivative of a user object in AD. And when a computer authenticates to the domain, the “Authenticated Users” SID is added to the computer’s security token (either NTLM token or Kerberos ticket). As such any process running under the security context of the _computer_ can be used to access anything in the domain that is accessible to an Authenticated User – and by default that is a whole lot of stuff… Of course computer accounts can also be made members of security groups, giving them further reach to wherever those groups are assigned access.

And that is why you want to disable and eventually remove “stale” computer accounts. It’s the same reason why you want to disable and – depending on your policies – eventually remove stale user accounts. Note that disabling the computer account in AD means that when the computer tries to build a secure channel to a DC in the domain – a process during which the computer account authenticates with the DC – the authentication will fail and no secure channel will be created. As such a domain user logging on to that computer won’t be able to interactively log on to the domain (the user can still log on locally to the computer itself).

How old you allow computer passwords to get really depends on your environment and security requirements. If you have a lot of travelling users that don’t connect back to the network more than once every six weeks, then you might consider a computer account to be “stale” if the password is older than 42 days. Or maybe 60 days to give the users some “grace time”. In other environments you may consider a computer that hasn’t authenticated to the domain for two weeks a big enough threat to your infrastructure that you disable them much earlier. In any case, you need to have processes in place to re-enable disabled computer accounts, should this be required – in security sensitive environments this may include a security check which must first be executed on the computer offline.

/Guido

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Crosby, Damian
Sent: Mittwoch, 18. November 2009 20:54
To: activedir@mail.activedir.org
Subject: [ActiveDir] To disable or not to disable (a stale computer account) - That is the question

A question for the collective brains of this community...

If a machine has been offnet for longer than the password reset period (typically more than 30 days) and now requires that the secret be reset by way of netdom etc., could (should) an active user still log on in this stale state?

Developing this further: if you disable a computer account, it quite clearly tells you in ADUC that users on this computer will not be able to log on. What does disabling a computer account do that is extra in halting the authentication process, and is it really relevant given that I can authenticate a user from anywhere if I have a valid account\pwd?

The reason I ask is that in housekeeping stale accounts I am not sure there's any value in disabling them if they have been offnet for say 180 days....

Thoughts

Damian Crosby, Vice President
Morgan Stanley | Technology & Data
25 Cabot Square | Canary Wharf | Floor 02
London, E14 4QA
Phone: +44 20 7677-4531
Damian.Crosby@morganstanley.com

________________________________

NOTICE: If received in error, please destroy, and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error. We may monitor and store emails to the extent permitted by applicable law.

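The client-side mechanism Rajeev describes above (MaximumPasswordAge, ScavengeInterval, the Netlogon scavenger thread, and the DisablePasswordChange switch from KB 154501 that Joe mentions) can be checked on a live machine. The following is an added example, not code from the thread or from any of its authors. It assumes an elevated PowerShell prompt on a domain-joined Windows host with the ActiveDirectory module available for the AD-side lookup; the function names are my own, and the 30 day / 900 second defaults are applied only when the registry value is absent, as the thread states.

```powershell
# Added example: read the Netlogon client settings, compare with the AD-side
# pwdLastSet, and report when the workstation scavenger will next try to rotate
# the machine account password. Not from the original thread.

function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    [PSCustomObject]@{
        # Defaults from the thread when the value has never been set.
        MaximumPasswordAgeDays  = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
        ScavengeIntervalSeconds = if ($null -ne $p.ScavengeInterval)   { [int]$p.ScavengeInterval }   else { 900 }
        # DisablePasswordChange=1 is the KB 154501 client-side switch; with it set the
        # scavenger never rotates the password (the VPN case Joe describes).
        PasswordChangeDisabled  = ([int]$p.DisablePasswordChange) -eq 1
    }
}

function Get-MachinePasswordStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $policy = Get-MachinePasswordPolicy
    Import-Module ActiveDirectory -ErrorAction Stop

    # AD stores pwdLastSet as a FILETIME stamped by the DC that accepted the change;
    # the client's own copy lives in the LSA secret $machine.ACC and is not readable here.
    $ad   = Get-ADComputer -Identity $ComputerName -Properties pwdLastSet, Enabled
    $last = [DateTime]::FromFileTimeUtc($ad.pwdLastSet)
    $now  = (Get-Date).ToUniversalTime()
    $age  = $now - $last
    $due  = $last.AddDays($policy.MaximumPasswordAgeDays)

    $nextAttempt =
        if ($policy.PasswordChangeDisabled) {
            'never (DisablePasswordChange=1)'
        }
        elseif ($age.TotalDays -ge $policy.MaximumPasswordAgeDays) {
            # Overdue (e.g. the box was off for three months): the scavenger tries on its
            # next wake-up and retries every ScavengeInterval until a DC answers.
            "overdue; will retry every $($policy.ScavengeIntervalSeconds) s until a DC is reachable"
        }
        else {
            "scheduled for $($due.ToString('u'))"
        }

    # Test-ComputerSecureChannel exercises exactly the step Guido describes: it fails
    # when the account is disabled in AD, even though the password itself never "expires".
    $secureChannel = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }

    [PSCustomObject]@{
        ComputerName        = $ComputerName
        AccountEnabledInAD  = $ad.Enabled
        SecureChannelOK     = $secureChannel
        PasswordLastSetUtc  = $last
        PasswordAgeDays     = [math]::Round($age.TotalDays, 1)
        MaximumPasswordAge  = $policy.MaximumPasswordAgeDays
        NextChangeAttempt   = $nextAttempt
    }
}

Get-MachinePasswordStatus | Format-List
```

If SecureChannelOK is false while the AD account is enabled and the password age is within policy, the local secret and AD have diverged beyond the two-password history Rajeev mentions, and `Test-ComputerSecureChannel -Repair` (or netdom) is the fix; if the account shows as disabled, no amount of repair will help until it is re-enabled.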


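Joe's advice above (combine password age with lastLogonTimeStamp, disable before you ever delete, and be wary of accounts such as cluster objects whose password never rotates) can be turned into a first-pass stale-computer job. This is an added example and is neither oldcmp nor anything posted in the thread. It assumes the ActiveDirectory module, rights to modify computer objects, and a 2012 or later domain controller for the replication-metadata check; the 60 day threshold, the cluster SPN exclusion and the function names are illustrative choices of mine, not values from the thread.

```powershell
# Added example: flag computers as stale only when BOTH pwdLastSet and
# lastLogonTimestamp are older than the threshold, disable on the first pass,
# and prove "disabled long enough" from replication metadata before any deletion.
Import-Module ActiveDirectory

function ConvertFrom-FileTime ([long]$Value) {
    # pwdLastSet / lastLogonTimestamp are 64-bit FILETIME values; 0 or missing means "never".
    if (-not $Value) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-StaleComputer {
    param(
        [int]$StaleDays = 60,                                   # illustrative threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    $props  = 'pwdLastSet', 'lastLogonTimestamp', 'whenCreated',
              'servicePrincipalName', 'OperatingSystem', 'Description'

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $pwd  = ConvertFrom-FileTime $_.pwdLastSet
            $llts = ConvertFrom-FileTime $_.lastLogonTimestamp

            # Cluster name objects never rotate their password (Joe's point), so the
            # password-age signal is meaningless for them; skip rather than disable.
            $isCluster = [bool](@($_.servicePrincipalName) -like 'MSClusterVirtualServer/*')

            # lastLogonTimestamp is replicated lazily (roughly every 14 days), so treat it
            # as a coarse signal and require BOTH signals to be stale. Objects created after
            # the cutoff (pre-staged, never joined) are left alone.
            $pwdStale  = ($null -eq $pwd)  -or ($pwd  -lt $cutoff)
            $lltsStale = ($null -eq $llts) -or ($llts -lt $cutoff)
            $oldEnough = $_.whenCreated.ToUniversalTime() -lt $cutoff

            if ($pwdStale -and $lltsStale -and $oldEnough -and -not $isCluster) {
                [PSCustomObject]@{
                    Name               = $_.Name
                    DistinguishedName  = $_.DistinguishedName
                    OperatingSystem    = $_.OperatingSystem
                    PwdLastSet         = $pwd
                    LastLogonTimestamp = $llts
                }
            }
        }
}

function Disable-StaleComputer {
    # First-pass action: disable only, and stamp the description so a human can see why.
    param([Parameter(ValueFromPipeline = $true)]$Computer, [switch]$WhatIf)
    process {
        $stamp = "Disabled as stale on $((Get-Date).ToString('yyyy-MM-dd')) by stale-computer pass"
        Set-ADComputer -Identity $Computer.DistinguishedName -Enabled $false -Description $stamp -WhatIf:$WhatIf
    }
}

function Test-DisabledLongEnough {
    # The check Joe considered: replication metadata for userAccountControl cannot be
    # edited by hand, unlike the description text. Note it records the LAST change to
    # userAccountControl of any kind, so a later flag change resets the clock.
    param(
        [string]$DistinguishedName,
        [int]$MinDays = 30,
        [string]$Server = (Get-ADDomainController).HostName
    )
    $obj  = Get-ADComputer -Identity $DistinguishedName -Properties userAccountControl
    $meta = Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $Server -Attribute userAccountControl
    $isDisabled = ($obj.userAccountControl -band 0x2) -ne 0      # ACCOUNTDISABLE flag
    return $isDisabled -and ($meta.LastOriginatingChangeTime -lt (Get-Date).AddDays(-$MinDays))
}

# Report first; disable only after review; never delete on the first pass.
$stale = Get-StaleComputer -StaleDays 60
$stale | Format-Table Name, OperatingSystem, PwdLastSet, LastLogonTimestamp
$stale | Disable-StaleComputer -WhatIf
```

Deletion belongs in a separate, later run that only considers accounts for which `Test-DisabledLongEnough` returns true; that keeps the re-enable process Guido asks for available for the whole grace period, and nothing is removed on the strength of a single timestamp.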
Copyright 2009 ActiveDir.org